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Abstract 

Minesweeper is one of the millions M$ games and in this tutorial I will explain 
you how to add a new feature on the game. The new feature will give you the 
ability to view where the bombs are. 

Target: 

Minesweeper (English version for WinXP/W2k) 
Program description: 

Don't you ever played with this game in your boring days? I can't believe you :-p 
Tools: 

- a debugger (Ollydbg) 

- a disassembler (Ida) 

- a resource editor (Resource Hacker) 

- Spy++ 

- c and asm compiler (Ice, masm) 
music: Black Sabbath - Black Sabbath 



Preamble 

We will show where the bombs are as a * mouse-over* effect as the cursor 
moves over each grid square. We will add all the modifications inside a dll and 
we will write a loader to patch the program in memory. This is not only a 
reversing exercize but also a programming exercize because you will have to 
code a dll, work with GDI and finally write a little loader. This tutorial is a resume 
(with some differences) of a project at the RCE board, you can find the thread 
here (http://66.98. 132. 48/forum/showthread.php?t=5003). We start finding all 
the places where we will have to put a jump to our code; after that we will write 
the code to add to the program, we will write the dll and finally a little loader. 
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1. Find the point where to add the new menu item 

We should be able to pass from normal to cheat mode (and viceversa) therefore 
the best way is to use a new menu item. I will add the new item inside 'Game' 
menu, after the 'New' item. 

We can use a resource editor but remembering that we need to patch the file in 
memory, we have to think in a different way. How can I add a new item into an 
existing menu? We can use the function I nsertMenultem. This function will be 
placed into a cave with all the other modifications needed by the program. We 
will see later how to use this function, for the moment you only have to know 
that I nsertMenulTem will be called in the initialization part of the program, 
exactly after the menu has been loaded (because it needs the menu handle...). 
Now, we should find the place where to insert the jump to the new cave. The 
program uses LoadMenu to load the menu: 



010014B9 push lF4h ■ lpMenuName 

010014BE push hlnstance < — hlnstance 
010014C4 call ds : LoadMenuW 

010014CA push lF5h ■ lpTableName 

010014CF mov hMenu, eax 

010014D4 push hlnstance < — hlnstance 
010014DA call ds : LoadAcceleratorsW 
010014E0 mov [ebp+hAccTable] , eax 
010014E3 call sub_10023DB 
010014E8 mov eax, dword_10052A4 
010014ED mov ecx, yBottom 



When the menu has been loaded you can insert the new item, I decided to put a 
jump to the code that will call the I nsertMenultem directly at 10014E8. I did 
choose this particular address only because it has the same number of bytes of 
the new jump instruction... 
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2. Find the point where the program checks whether a 
menu item has been pressed 

This task is useful because we need to add/manage the new menu item, the 
special mode option. If you check the 'special mode' item, the game will show 
you the bomb, otherwise the game will remain the same. 

There are many ways to solve this second point. 

- You can use Spy++, a little application that gives you a view of many 
informations about a process that is running on your system. 

Run Minesweeper and then run Spy+ + . You will see a list of the running 
processes, find Minesweeper process and double click on it. A dialog will show 
you some informations about the game, one of them is the window procedure. 

- Another way to locate the window procedure is to use Ida. 

This is more or less the way explained by +Spath in his tutorial. Load the file into 
ida and press ctrl-p; a dialog appears. This dialog contains the functions used by 
the program and, we are interested in WinMain function, the one used to define 
the window class. This is useful because from here you can understand where 
the window procedure is. The program uses RegisterClassW function to register 
the window class: 

ATOM RegisterClass ( 

CONST WNDCLASS *lpWndClass // address of structure with class 

data 

) ; 

and: 

typedef struct _WNDCLASS { 

UINT style; 

WNDPROC lpfnWndProc; 

int cbClsExtra; 

int cbWndExtra; 

HANDLE hlnstance; 

HICON hlcon; 

HCURSOR hCursor; 

HBRUSH hbrBackground; 

LPCTSTR IpszMenuName; 

LPCTSTR IpszClassName; 
} WNDCLASS; 
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This structure contains the window attributes; we are interested in IpfnWndProc 
because it points to the window procedure. Look at the disasm Ida gave you and 
take the address we were looking for: 



:01001472 mov [ebp+WndClass . style] , edi < 

style param 

:01001475 mov [ebp+WndClass . IpfnWndProc] , offset sub_100180A 
IpfnWndProc param, our address is 100180A 
:0100147C mov [ebp+WndClass . cbClsExtra] , edi <— 
cbClsExtra param 

:0100147F mov [ebp+WndClass . cbWndExtra] , edi < 

cbWndExtra param 

:01001482 mov [ebp+WndClass . hlnstance] , ecx < 

hlnstance param 

:01001485 mov [ebp+WndClass . hlcon] , eax < 

hlcon param 

01001488 call ds : LoadCursorW 

0100148E push ebx ; int 

0100148F mov [ebp+WndClass . hCursor] , eax < 

hCursor param 

:01001492 call ds : GetStockOb ject 

:01001498 mov [ebp+WndClass . hbrBackground] , eax < 

hbrBackground param 

0100149B lea eax, [ ebp+WndClass ] 

0100149E mov esi, offset AppName 

010014A3 push eax ; lpWndClass 

010014A4 mov [ebp+WndClass . IpszMenuName] , edi < 

IpszMenuName param 

:010014A7 mov [ebp+WndClass . IpszClassName] , esi <— 
IpszClassName param 

:010014AA call ds : RegisterClassW < 

RegisterClassW 



Ok, now that we know where the window procedure is, it's time to use a 
debugger, Ollydbg. 

Load the program and jump to the window procedure, we need to set a 
breakpoint. Remembering that we are trying to find the part of the procedure 
which check whether a menu item is clicked, we need to break if and only if a 
menu item is clicked. When an item is clicked, a specific WM COMMAND 
message is sent to the procedure. This specific message contains the menu item 
identifier (the one you have clicked on) in the loworder word of the wParam 
parameter. 
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Take a look at the first part of the window procedure: 



0100180A PUSH EBP 
0100180B MOV EBP, ESP 
0100180D SUB ESP, 40 

01001810 MOV ECX, DWORD PTR SS:[EBP+C] - ecx is the message 

[i.e. WM_COMMAND) 
01001813 PUSH EBX 



If we want to catch the click over one of the menu item we need to set a 
conditional breakpoint (Shift+F2) at 1001810. The condition I have used is: 

[EBP+OCh] ==111H && [EBP+10H] ==209H 

where '[EBP+0Ch] ==lllH' checks for the WM COMMAND message and 
'[EBP+10H]==209H' checks whether the 'Beginner' menu item is been clicked 
(you can use your preferred menu item :-)). Run the program and click on the 
chosen item, Oily breaks. Steps a little and you will surely find the place where 
the program checks which menu items is been pressed: 



:010018B7 MOV EAX, 111 

:010 018BC CMP ECX, EAX < • Is WM_COMMAND 

received? 

:010018BE JA winmine . 0 1 0 0 1B3F 

:010018C4 JE winmine . 010 01 9AD - We jump if a 

WM_C OMMAND has been received 

:010019AD MOV ECX, DWORD PTR SS:[EBP+10] - ecx is the wParam 

:010019B0 MOVZX EAX, CX <— - eax is the item 

identifier 

:010019B3 CMP EAX, 20B <— ■ Is "Expert" item 

clicked? 

:010019B8 JG SHORT winmine . 0 1 0 0 1 A3 0 

:010019BA CMP EAX, 209 < ■ Is "Beginner" item 

clicked? 

:010019BF JGE SHORT winmine . 0 1 0 0 1 9EE 



This piece of code is what we were looking for; since we will have to check 
whether the new menu item has been clicked, we will change the jump at 
10018C4 into a new jump. We will see later how the code will look like. 



Copyright © 2004 and published by the CodeBreakers-Journal. Single print or electronic copies for personal use 
only are permitted. Reproduction and distribution without permission is prohibited. 



The CodeBreakers- Journal, Vol. 1, No. 2 (2004) 



3. Find the point where the program checks whether a 
WM_MOUSEMOVE has been received 

This is necessary because from here we will jump to the dll function that shows a 
possible bomb. In order to find the place where the program checks for 
WM_MOUSEMOVE message we will change the conditional breakpoint; the new 
condition will be: [EBP+0Ch]==200H 



01001B3F 
01001B42 
01001B47 
01001B49 
01001B4B 
received? 
: 01001B4D 
: 01001B4E 
: 01001B50 
received 



MOV EAX, DWORD PTR SS:[EBP+C] < — the received message 

MOV ESI, 200 <-■ 200h = WM_MOUSEMOVE 

PUSH 1 

XOR EDI, EDI 

CMP EAX, ESI <-■ ■ is WM_MOUSEMOVE 

POP EBX 

JA SHORT winmine . 01001BB4 

JE winmine . 01001DD5 <— - yes, WM_MOUSEMOVE 



Stepping a little you will see that this type of message is not so useful for the 
original program therefore we will change the jump at 1001B50. 



4. How to modify the Minesweeper process 

First of all we have to find a place where we will go to insert the new code; there 
are many caves inside the file, you must only choose one of them. I will add the 
new code starting from 10049A5h. What does this new code is supposed to do? 
It adds the new item menu and then it simply calls a function from our dll. 
I nsertMenultem is not imported by the program and so we will have to use the 
combination of LoadLibrary/GetProcAddress functions. To use these two functions 
is pretty easy. 

LoadLibrary: it's the first function to use and it maps the dll module into the 
address space of the calling process. The function returns a handle that can be 
used in GetProcAddress to get the address of a dll function. 



HINSTANCE LoadLibrary ( 

LPCTSTR lpLibFileName // address of the string that names the 
executable module 
) ; 

GetProcAddress: returns the address of the exported dll function. 

FARPROC GetProcAddress ( 

HMODULE hModule, // handle to DLL module (the value returned 

by LoadLibrary) 

LPCSTR lpProcName // address of the string that names the 
function 

) ; 
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Now that you know how to call I nsertMenultem we can see how this function 
looks like: 

BOOL WINAPI InsertMenuItem ( 

HMENU hMenu, // Handle to the menu in which the new 

menu item is inserted 

UINT ultem, // Identifier or position of the menu item 

before which to insert the new item 

BOOL fByPosition, // If FALSE, ultem is a menu item 

identifier. Otherwise, it is a menu item position 

LPMENUITEMINFO lpmii // Pointer to a MENUITEMINFO structure 
that contains information about the new menu item 

) ; 



and: 



typedef struct tagMENUITEMINFO 



UINT cbSize; 
UINT fMask; 
UINT fType; 
UINT fState; 
UINT wID; 
identifies the menu item 
HMENU hSubMenu; 



// Size of structure, in bytes 

// Members to retrieve or set 

// Menu item type 

// Menu item state 

// Application-defined 16-bit value that 



// 



Handle to the drop-down menu or 
submenu associated with the menu item 

HBITMAP hbmpChecked; // Handle to the bitmap to display next 

to the item if it is checked 

HBITMAP hbmpUnchecked; // Handle to the bitmap to display next 
to the item if it is not checked 

DWORD dwItemData; // Application-defined value associated 

with the menu item 

LPTSTR dwTypeData; // Content of the menu item 

UINT cch; // Length of the menu item text 

} MENUITEMINFO, FAR * LPMENUITEMINFO, • 



Even if there are alot of parameters, the use of this function is pretty easy. 
This is the code you have to inject into the Minesweeper program: 



:010049A5 ; Initial address of the cave I chose 
:010 04 9A5 dword_10 04 9A5 dd 0 

specialMode is enable otherwise specialMode=00h 
:010049A6 aZaiwinmine_dll db ' zaiWinmine . dll ' , 0 ; 
new DLL 

:010049B5 aUser32_dll db ' User32 . dll ' , 0 

inside USer32.dll 

; The name of the 2 exported functions: 

:010049C0 aChangeitemstat db ' changeltemStatus ' , 0 

status of the itemmenu 

:010049D1 aRevealcell db ' revealCell ' , 0 

under a cell 

:010049DC dword_10049DC dd 0 
address of changeltemStatus function 
:010049E0 dword_10049E0 dd 0 
address of revealCell function 

:010049E4 alnsertmenuitem db ' InsertMenuItemA ' , 0 



specialMode=08h if 
The name of the 
InsertMenuItem is 

; Changes the 

; Reveals a bomb 

; Stores the 

; Stores the 
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:010049F4 aSpecialMode 
in the new menu item 
; MENUITEMINFO structure: 
01004A01 dd 2Ch 
01004A05 dd 42h 
01004A09 dd 0 
text string 
:01004A0D dd 0 
:01004A11 dd 212h 
:01004A15 dd 0 
down menu or submenu 
:01004A19 dd 0 
:01004A1D dd 0 
:010 04A21 dd 0 
:01004A25 dd 10049F4h 
defines the text of the 
:010 04A2 9 dd 4 



db 'Special Mode ' , 0 



Text to be place 



Size of structure: 11 dwords = 2Ch bytes 
MIIM_ID + MI IM_STRING 

MFT_STRING, displays the menu item using a 

Default state 
Id of the new item 

NULL because the item does not open a drop- 

NULL, default check mark 
NULL 
NULL 

The pointer to a null-terminated string that 
new item 

The length of the string 



:01004A2D ; From initialization (10014 
save the address of changeltemStatus a 
:01004A2D push offset loc_10014ED 

to 

01004A32 pusha 

01004A33 push offset aUser32_dll 
01004A38 call ds : LoadLibraryA 
01004A3E push offset alnsertmenuitem 
01004A43 push eax 
01004A44 call ds : GetProcAddress 
function 

:01004A4A mov ebx, offset hMenu 
:01004A4F push offset dword_1004A01 
structure 

01004A54 push 0 

01004A56 push 0 

01004A58 push dword ptr [ebx] 

01004A5A call eax 

01004A5C push offset aZaiwinmine_dll 

of the dll 

:01004A61 call ds : LoadLibraryA 
:01004A67 mov esi, eax 

:01004A69 push offset aChangeitemstat 
:01004A6E push esi 
:01004A6F call ds : GetProcAddress 
:01004A75 mov ds : dword_100 4 9DC, eax 

changeltemStatus 

:01004A7A push offset aRevealcell 
:01004A7F push esi 
:01004A80 call ds : GetProcAddress 
:01004A86 mov ds : dword_l 00 4 9E0 , eax 

revealCell 
01004A8B popa 

01004A8C mov eax, dword_10052A4 
01004A91 retn 



E8) : we add the new item and 
nd revealCell 

; Address from where to return 



"User32.dll" 
Maps User32.dll 
"InsertMenuItemA" 
Handle to dll module 
Get the address of the 



Pointer to a MENUITEMINFO 
FALSE 

The position of the item 
Handle to the menu 
call InsertMenuItem 
"zaiWinmine.dll", the name 



; "changeltemStatus" 

; Stores the address of 

; "revealCell" 

; Stores the address of 

; Jump to the original code 



:01004A92 ; From ' specialMode ' item clicked (10018C4) 
changeltemStatus 



we call 
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:01004A92 push offset loc_10019AD ; Address from where to return 

to 

01004A97 pusha 

01004A98 call ds : dword_10049DC ; call changeltemStatus 

01004A9E jmp short loc_1004AB6 

:01004AA0 ; From WM_MOUSEMOVE event (1001B50): we call revealCell 

:01004AA0 push offset loc_1001DD5 ; Address from where to return 
to 

01004AA5 cmp ds : byte_l 0 0 4 9A5 , 0 ; Is the special mode enable? 

01004AAC jnz short loc_1004AAF ; Yes, jump down 

01004AAE retn ; specialMode is disable, no 

need to show the bomb, jump back to the original code 
01004AAF pusha 

01004AB0 call ds : dword_10049E0 ; call revealCell 
01004AB6 popa 

01004AB7 retn ; Jump back to the original 
code 



Now, we have to modify the instructions at 10014E8, 10018C4 and at 1001B50 
because they have to jump to the new code: 

:010014E8 jmp loc_1004A2D 
:010018C4 jz loc_1004A92 
:01001B50 jz loc_1004AA0 



4. 1. DLL functions 

We have seen all the modifications we will have to add to the program; from now 
on, we will see how to write the 2 dll functions: 

- changeltemStatus, this function will check/uncheck the menuitem enabling or 
disabling the special mode. 

- revealCell, this function reveals a bomb under a cell. 



4.2. changeltemStatus 

To check/uncheck the item I will use CheckMenultem function: 

DWORD CheckMenultem ( 

HMENU hmenu, // handle to menu 

UINT uIDCheckltem, // menu item to check or uncheck 

UINT uCheck // menu item flags 

) ; 
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An easy function to use. It needs: 

1. the handle of the menu. We don't have the handle but since the function is 
imported and since some of the items of the menu could be checked/ unchecked, 
the easiest way to retrieve the handle is to put a breakpoint on this function and 
hit one of the checked items, for example the 'sound' item. Perfect, Oily will 
break showing us where the handle is stored. 

2. the id of the menu. It's the number we gave to our new item. 

3. we are interested in two values: 
MF_CHECKED (08h): sets the check- mark attribute to the checked state. 
MF_UNCHECKED (OOh): sets the check-mark attribute to the unchecked state. 

I did write the dll in asm but no one will stop you from writing it in other 
languages. Here is the first function: 



; Change the status of the new item 
changeltemStatus proc 

.IF word ptr [ebp+lOh] == 212h ; 212h is the id I used for the 
new item 

mov ebx, 10049A2h ; byte [10049A2] stores the 

state of the menu item 

xor byte ptr [ebx] , 08h 
movzx eax, byte ptr [ebx] 

mov ebx, 10052BCh ; address where the menu handle 

is stored 

invoke CheckMenuItem, dword ptr [ebx] , 212h, eax 
. END IF 
ret 

changeltemStatus endp 



The only thing that requires an explanation is the value stored at 10049A2. This 
byte is: 

OOh if the item is unchecked 
08h if the item is checked 

Why not OOh and Olh? That is because I use this address for store both the state 
of the item and the menu item flag. 
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4.3. reveal Cell 

Before writing the function we must understand where the bombs are stored. 
We need to find a way to break when a cell is clicked. Exploiting the work we 
have done before, I will use another conditional breakpoint at 1001810; the idea 
is to break when the left mouse button is pressed (and then released). When this 
button is released, a WM_LBUTTONUP (202h) message is posted and so, the new 
condition will be: [ebp+0Ch]==202h 

Set the new breakpoint and click on a cell; Oily breaks, steps a little until Oily will 
tell you that you have found the place: 



01001C30 XOR EDI, EDI ; Cases 202 

(WM_LBUTTONUP) < — thx to Oily : -D 

01001C32 CMP DWORD PTR DS : [ 1 0 0 51 60 ] , EDI 

01001C38 JE winmine. 01001D4C 

01001C3E MOV DWORD PTR DS : [ 1 0 0 51 60 ] , EDI 

01001C44 CALL DWORD PTR DS : [ <&USER32 . ReleaseCaptu> ; ReleaseCapture 
01001C4A TEST BYTE PTR DS : [ 1 0 0 50 1 0 ] , BL 
01001C50 JE SHORT winmine . 01001C5C 

01001C52 CALL winmine . 0100373E ; hmmm. . . 

01001C57 JMP winmine . 01001D4C ; jump at the end 

of the procedure 

This is the code that manages the WM_LBUTTONUP command; as you can see 
there is a call to ReleaseCapture, a jump at the end of the procedure and a 
suspicious call. Maybe it's the call that will show us where the bombs are. Enter 
the call and take a glance at it: 

010037F2 MOV EDX,ECX ; ecx stores the number of the row of the 
clicked cell, eax stores the column 
010037F4 SHL EDX, 5 

010037F7 MOV DL, BYTE PTR DS : [EDX+EAX+1005700 ] ; dl = value stores 
in the clicked cell 

As you can see the first row is stored starting from 1005721 and it ends with the 
character with double value 0x10. Doing some tryes you will sooner understand 
which is the value that identify the bomb, it's 0x8F. 

Now that we know almost everything about the program, we have to show these 
damned bombs. I will try to explain you how to show them when the mouse pass 
over a cell; the bombs will remain showed until the end of the game. We can 
write the other function of the dll, the one I called revealCell. 
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What this function is supposed to do? Remembering that the function will be 
called on every single movement of the mouse (and let's suppose specialMode is 
enable), we have this scheme: 

1. Is the pointer inside the grid? 
No: quit from the function 

Yes: jump to 2 

2. Is the cell hiding a bomb? 
No: quit from the function 
Yes: reveal the bomb 



The point number 1 is necessary because the bombs can not be outside the grid 
while the point number 2 is the final check. The first cell (upper left corner) 
starts from coordinates 0x0C,0x37 and each cell is 0x10,0x10. Now that we 
know this information, we are able to implement the point number 1: a simple 'if 
based on the coordinates of the point where the mouse has been pressed. How 
did you know the x and the y coordinates where the mouse has been pressed? 
WMMOUSEMOVE will tell you; infact: 

WM_MOUSEMOVE 

fwKeys = wParam; 
xPos = LOWORD (lParam) ; 
yPos = HIWORD (lParam) ; 

Here is all that you need :-D 



Point number 2: first of all, we have to check whether a cell hides a bomb; this is 
not a problem because we know where the program stores the grid in memory 
and, we will easily perform this check but... how can I reveal a bomb under a 
cell? The answer is inside Graphics Device Interface (GDI) library; in this specific 
case we will use GDI to display a bitmap. My new version of the game displays 
the image that has the bomb on the red background (open the program with a 
resource editor, you will find the image I am talking about under "Bitmap-410- 
1033"). You can display the image you prefer taken from the proggie or created 
by you. To display this image I use these functions: GetDC, BitBIt, ReleaseDC. 
GetDC: retrieves a handle of a display Device Context (DC) for the client area of 
the specified window. 



HDC GetDC ( 

HWND hWnd // handle of window 

) ; 

This is the first function we have to call and it takes a single parameter. How do 
we know the handle of the window? Simple, these 3 functions are used by 
Minesweeper and so, the best way to understand how to use them is to bpx 
them and to look how they are used. This time, put a bpx on GetDC and run 
again the program. Ollydbg will surely break and the only thing you have to do is 
to take note of the address that contains the handle... 
BitBIt: it clips an image from a source DC to a destination DC. 



// key flags 

// horizontal position of cursor 
// vertical position of cursor 
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BOOL BitBlt ( 






HDC hdcDest, 


// 


handle to destination DC, the GetDC returned 


address 






int nXDest, 


// 


x-coordinate of destination rectangle's upper 


left corner 






int nYDest, 


// 


y-coordinate of destination rectangle's upper 


left corner 






int nWidth, 


// 


width of destination rectangle 


int nHeight, 


// 


height of destination rectangle 


HDC hdcSrc, 


// 


handle to source device context 


int nXSrc, 


// 


x-coordinate of source rectangle's upper-left 


corner 






int nYSrc, 


// 


y-coordinate of source rectangle's upper-left 


corner 






DWORD dwRop 


// 


raster operation code 



) ; 



Easy. As before, the best way for to understand how to use the function is to bpx 
it on Ollydbg. If you want to display another image you have to change the 6° 
parameter: hdcSrc. 



ReleaseDC: the ReleaseDC function releases a device context 

int ReleaseDC ( 

HWND hWnd, // handle of window 

HDC hDC // handle of device context 

) ; 



Ok, it's time to past the source of the revealCell procedure: 



. data 

oldRow db "0100499D" 
oldColumn db "0100 4 9A1" 



; Display the image under a cell 
revealCell proc 
pushad 

; Is the mouse pointer inside the grid ? 

.IF word ptr [ebp+14h] < OCh | | word ptr [ebp+16h] < 37h 

jmp @exitRevealCell 
. endif 

xor eax, eax 

mov ax, word ptr [ebp+14h] ; The x-coord of the mouse 
sub eax, OCh 
shr eax, 4 

add eax, 1 ; The number of the column -inside 

the grid- where the mouse is pressed 
xor ebx, ebx 

mov bx, word ptr [ebp+16h] ; The y-coord of the mouse 
sub ebx, 37h 
shr ebx, 4 

add ebx, 1 ; The number of the row where the 
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mouse is pressed 



mov edi, 100499Dh 

.IF ax == word ptr [edi] && bx == word ptr [edi+4] 

; It's in the same cell than before, no need to display the 
same image again 

jmp SexitRevealCell 
. END IF 



mov ecx, ebx 
mov edx, ecx 
shl edx, 5 
mov ebx, 1005700h 
add ebx, eax 
add ebx, edx 

; Reveal the cell if and only if there is an hidden bomb 
.IF byte ptr [ebx] == 8Fh 

mov edi, 100499Dh 

mov dword ptr [edi], eax 

mov dword ptr [edi+4], ecx 

push eax 



Save the column 
Save the row 



push ecx 

mov esi, 10052A8h 
push [esi] 
call GetDC 



Pointer to handle of window 
Handle of window 



mov 
pop 
pop 
shl 
add 
shl 
sub 



esi, 

ecx 

eax 

ecx, 

ecx, 

eax, 

eax, 



eax 



4 

27h 

4 

4 

1005AE0h 



mov ebx, 
push 0CC0020h 



SRCCOPY flag 



push 0 
push 0 

push [ebx+48] 
push lOh 
push lOh 
push ecx 
push eax 
push esi 
call BitBlt 
mov ebx, 10052A8h 
push esi 

push dword ptr [ebx] 
call ReleaseDC 
.ELSE 

mov dword ptr [edi], 0 
mov dword ptr [edi+4], 
. END IF 



Source DC, the image to display 
Height of the rectangle 
Width of the rectangle 
y coord 
x coord 

Handle to destination DC 



Handle 
Handle 



of DC 

of window 



@exitRevealCell : 

popad 

ret 

revealCell endp 
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5. Postamble: conclusion. 

The tutorial ends here, you only have to write a loader which will load the 
program and add the new functionality in memory. I will not tell how to write a 
simple loader, you will find all the sources inside the attached file. 

Playing with the new version of the game I have discovered a weird fact; set the 
special mode feature and make the first click over a bomb. Nothing happens, the 
bomb disappears; is there something wrong in our work? Eheh, no. Where the 
bomb has gone? (Hint: it is a specific characteristic of the program.. :-)) 



6. Greetings and thanks. 

I would like to thank all the friends at RCE messageboard and all the UIC members. As 
usual, feel free to mail me for comments, suggestions, bug reports and/or whatever you 
want... 



7. References: 

http://www.woodmann.net/fravia/menusspa.htm 
http://www.woodmann.net/fravia/TracePlus_MenuPatch.html 
http://www.woodmann.net/fravia/ kayaker_RegmonPlus.htm 
http://www.codeguru.com/mfc/comments/50642.shtml 
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